IIS Server Security - Re: SCW question.


Re: SCW question.
Author: Roger Abell [MVP]
2006-11-13, 8:59 am

Hi Dan,

For your detailed questions on the IIS docs relative to minimum required
user rights, and perhaps also for verification of IIS 6's behavior relative
to restoring which user rights to its default-form named IUsr_ and IWam_
accounts I am cross-posting this to the inetserver.iis.security newsgroup.
Hopefully David, Bernard, Ken, or another can clarify your specific
questions on the doc conflicts.

As to your test, after the build, and before or after the join, but
certainly before use of SCW, it would have been telling if you had
removed the IUsr_machine and IWam_machine accounts from their
user rights grants and then stopped and restarted all IIS services (i.e.
IIS Admin and dependents). At one point during beta the IIS 6 team
was talking about extending the IIS 5 behavior of guaranteeing user
rights grants to all accounts (not just the default named ones), but I
was very vocal against this (as a sys admin I do not want _anything_
touching what rights grants I have defined, even for the default named
accounts) and I think they relented some but did keep the IIS-ish
behavior for the default named accounts. I will check later after
I get to the shop to see if there is something I can infer without tests.
It would be a pretty simple test with a W2k3 virt machine image
around (longhorn has pretty much pushed these out of storage for me).


Roger

"Dan Kyle" <beaker@Spamsucks.com> wrote in message
news:OcdOnZABHHA.4844@TK2MSFTNGP02.phx.gbl...
> Thanks for the info Roger,
>
> Here is some further testing I have done.
>
> Created a new Server and installed IIS. Looked at the Local security
> policy and saw that the default rights for IUSR and IWAM users are there.
> Added the Server to the domain without any GPOs applied...Local Security
> policy remains the same (obviously). I then moved the Server to the
> required OU which has the Member server GPO applied and rebooted. Looked
> at the Local security policy and the IUSR and IWAM users are no longer in
> any of the User rights (which coincides with my Member server GPO
> settings). I then ran the SCW on the server utilizing only the IIS
> settings, created and applied the policy. Rebooted and found that the
> Default user rights for IUSR and IWAM REAPPEARED in the Local Security
> policy!!
>
> To test I renamed the winlogon.log file, made a small change to the Member
> server GPO and rebooted. Same behaviour. I was not able to make any
> changes to the Local security policy either. Checking the winlogon.log
> file, it shows that the IUSR, IWAM and IIS_WPG users are REMOVED from user
> rights, does not show them as being added, and yet they remain in the local
> security policy.
>
> This is highly unusual. Thing is..it is more or less what I want but I
> need to understand why this behaviour is happening to document it.
>
> As an aside....I am confused by some conflicting Microsoft documentation
> concerning IUSR user rights. The "IIS and Built-in Accounts (IIS)"
> Microsoft document states that the IUSR user requires explicit membership
> in the "allow logon locally", "access this computer from the network" and
> "logon as a batch job". The conflict lies in the IIS Help file which
> states "In IIS 6.0, NETWORK_CLEARTEXT is the default logon type for
> Anonymous Authentication (and for Basic authentication). One result is
> that Anonymous authentication no longer requires the Allow log on locally
> user right". So...what is the real answer?? Funny thing is...on the new
> server with only the Member server GPO applied with no rights given to
> the IUSR user...I am able to browse the static web site on the server with
> only anonymous authentication enabled...very strange. Again..I must be
> missing something obvious..
>
> Look forward to your response.
>
> Is ANYONE else using SCW and noticing this behaviour?
>
> Dan
>
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uldUmz7AHHA.2316@TK2MSFTNGP04.phx.gbl...
>
>
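A reproducible way to take the "before SCW / after SCW" snapshot Dan describes, as an added example that is not part of the thread: it exports the effective local user rights with `secedit`, resolves the SIDs back to account names, and reports which rights still name the IUSR_, IWAM_ or IIS_WPG principals. It assumes an elevated PowerShell 2.0+ session on the IIS server itself and the default IUSR_/IWAM_ account naming.

```powershell
# Added example (not from the thread): list which local user rights
# currently grant the IIS accounts, so the policy can be diffed before
# and after a GPO refresh or an SCW run. Assumes PowerShell 2.0+ and an
# elevated session on the IIS server (assumption, not from the post).
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# The three rights the two Microsoft documents cited in the thread disagree about.
$rightsOfInterest = @{
    'SeInteractiveLogonRight' = 'Allow log on locally'
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeBatchLogonRight'       = 'Log on as a batch job'
}

# secedit writes accounts as *S-1-5-... SIDs; translate them back to names.
function Resolve-Principal([string]$entry) {
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # orphaned SID: keep the raw value
    }
    return $entry
}

# Match MACHINE\IUSR_name, IWAM_name and the IIS_WPG group (default naming assumed).
$iisPattern = '^(.*\\)?(IUSR_|IWAM_|IIS_WPG)'

Get-Content $export | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $right    = $matches[1]
        $accounts = $matches[2] -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
        $iisHits  = @($accounts | Where-Object { $_ -match $iisPattern })
        # Report the three contested rights always, and any other right that
        # still names an IIS principal after the GPO was supposed to strip it.
        if ($rightsOfInterest.ContainsKey($right) -or $iisHits.Count -gt 0) {
            New-Object PSObject -Property @{
                Right        = $right
                FriendlyName = $rightsOfInterest[$right]
                IISAccounts  = ($iisHits -join '; ')
            }
        }
    }
} | Format-Table Right, FriendlyName, IISAccounts -AutoSize
```

Run it once after the GPO refresh and once after applying the SCW policy; rights that show IIS accounts only in the second run are the ones re-added outside Group Policy, which is what the winlogon.log entries Dan mentions would not record.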